MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ba16889c485514ebaecaded7ef1b207f53d9ea0478492e32051adff9a491c5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	6ba16889c485514ebaecaded7ef1b207f53d9ea0478492e32051adff9a491c5d
SHA3-384 hash:	8cf1f59b2083efcecce31a6363bb2ecdd6a71d44e0fa5b8e6cba2463763f531a5dc839c846e9272e1d692de0132aa5c3
SHA1 hash:	fd74ec41ba4b2673ca8e88fb71d7730e32bcd5f5
MD5 hash:	dab0ae8d2c68d6a2fa002ac5facd7335
humanhash:	lake-connecticut-fillet-pluto
File name:	USPS Parcel.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	263'680 bytes
First seen:	2020-06-23 20:35:23 UTC
Last seen:	2020-06-23 21:47:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a4fac8e82f76164862f459c49ddbbcb5 (1 x NanoCore)
ssdeep	6144:BgbazoObQN47h1e8tQbSzn5GwAd+yf6bOo+KJiPeDu:JINOeTmzn0wAnoOo+0u
Threatray	1'215 similar samples on MalwareBazaar
TLSH	9D44F145346184E2F2D803703CD6EE78F636C8426E531327A65F66C689B1285BF4AFDE
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT USPS

abuse_ch

Malspam distributing NanoCore:

HELO: zimbra.fcjcorp.com
Sending IP: 54.158.42.8
From: USPS <pedro.henrique@medbeta.com.br>
Reply-To: noreply@accounts.com
Subject: Parcel
Attachment: USPS.IMG (contains "USPS Parcel.exe")

NanoCore RAT C2:
u852121.nvpn.to:3410 (91.192.100.17)

Pointing to nVpn:

% Information related to '91.192.100.1 - 91.192.100.63'

% Abuse contact for '91.192.100.1 - 91.192.100.63' is 'abuse@libertas-international.eu'

inetnum: 91.192.100.1 - 91.192.100.63
netname: LIBERTAS_NETWORK
remarks: ----------------------------------------------
remarks: Libertas Network is a VPN service provider.
remarks: We have a strict non-logging policy, therefore
remarks: we don't record any logs on our servers.
remarks: ----------------------------------------------
country: CH
admin-c: LNAD1-RIPE
org: ORG-LNVS1-RIPE
tech-c: LNAD1-RIPE
status: ASSIGNED PA
mnt-by: MNT-DA327
created: 2019-12-12T08:51:11Z
last-modified: 2020-02-10T07:01:46Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/13292/

Detection(s):

SecuriteInfo.com.Variant.Razy.674687.3247.24348.UNOFFICIAL

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/6ba16889c485514ebaecaded7ef1b207f53d9ea0478492e32051adff9a491c5d/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-06-23 20:37:03 UTC

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=noqwrcoeqviu5oxmvxwx54nsa72t3hvai6cjfyzakgw77gsjdroq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

0e60fbf96ee79935f57b028842bdab9f9b6c08787e0a477f5f20dcd5be5599d7

NanoCore

21dba41b37835f29fa4166786b44915d69109229a0fd19ee46d14cb2afa7c35b

NanoCore

53ed711a60623cc2ada6781f627ba8729f51b2bfa2bea7736b7a7d7419eba592

NanoCore

5e450f5b1dcc1499278d77c4adffa991cb9795b8f9b2cf5ce9a684ee90052918

NanoCore

81bbe1968e2d3dd8206dc0ae4378895158e08efc7735f4ad1dd2bb5310b5b12d

NanoCore

84087e77b6088ef6e3d9a61f088ea5c6b6cb9bf1c7d852df6a12e745ab112c11

NanoCore

b4a60a5fdddebf1351aa77b5ae1b850c8f53312cbe7e3792a0adbd3a458c70ba

NanoCore

cd041f14ff9c62fb4e6c474dbfb2dc8905b1680c8d58063d7e24381cef97a779

NanoCore

d83d25cdeec57d8bdb0ae70c21d60f32645a2fa21f3f7792774b5ad3bffce9b5

NanoCore

+ 1'205 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200624-mwxj9hvgfn/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

u852121.nvpn.to:3410

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

fc068f3c5523402165d8543d4f0e2f06

NanoCore

exe 6ba16889c485514ebaecaded7ef1b207f53d9ea0478492e32051adff9a491c5d

(this sample)

Dropped by

MD5 fc068f3c5523402165d8543d4f0e2f06

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/13292/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample